Because NT-based systems are easy to maintain, more and more small and medium-sized businesses run their websites and internal office systems on them, and many use IIS as the web server by default. Admittedly, a number of the NT vulnerabilities seen so far stem from improper IIS configuration, and IIS will foreseeably have new vulnerabilities and security issues in the future, but sensible security configuration avoids many of these hazards. This article does not cover how to configure IIS securely as a whole; it only shows how to use an SSL-encrypted HTTP channel to improve the security of an IIS site.
Setting up SSL
Besides anonymous access, basic authentication and Windows NT challenge/response, IIS offers a stronger form of authentication: digital certificates over SSL (Secure Sockets Layer). SSL sits between the HTTP layer and the TCP layer and sets up an encrypted connection between the user and the server, so that what is transmitted stays confidential.

SSL builds on public-key cryptography: anyone can obtain a public key and encrypt data with it, but only the holder of the matching private key can decrypt that data. When a client connects, the server first sends its digital certificate, which carries the server's public key. The client generates a random session key, encrypts it with the public key taken from the certificate and sends the result to the server. Only the server, which holds the private key, can decrypt it, so client and server now share a secret that nobody listening on the network has, and they use it as the symmetric key for the rest of the session. Two points a practitioner should keep in mind: the client must check that the certificate really belongs to the server it meant to reach (signed by a CA the client trusts, with a name that matches the site), otherwise anyone in the path can substitute their own certificate and read everything; and this RSA key-transport handshake, which is what SSL 3 and the RSA cipher suites of TLS 1.0 to 1.2 use, gives no forward secrecy, since a leaked server private key decrypts every recorded session, which is why TLS 1.3 dropped it in favour of ephemeral Diffie-Hellman.

Once SSL is enabled, only SSL-capable clients can talk to a site that requires it, and the URL is entered as https:// instead of http://.
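The exchange just described, as an added example that is not part of the original article: a PowerShell simulation using the .NET RSA and AES classes, with the server and the client living in one process. There is no network and no X.509 certificate here; the server's exported public key stands in for the certificate, and the function names Protect-Record and Unprotect-Record are invented for this example. It also shows what a sniffer on the wire would get: the RSA-encrypted session key and the AES records, neither of which can be decrypted without the server's private key.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example, not from the original article. Server and client are simulated in one
# process; Protect-Record and Unprotect-Record are names invented for this example.

# --- Server: a long-lived key pair. In IIS the public half travels inside the server
#     certificate; here the exported public parameters stand in for the certificate.
$serverRsa = [RSA]::Create(2048)
$certificatePublicKey = $serverRsa.ExportParameters($false)   # modulus and exponent only

# --- Client: import the server's public key, pick a random session key and encrypt it
#     so that only the server's private key can recover it (RSA key transport, OAEP).
$clientRsa = [RSA]::Create()
$clientRsa.ImportParameters($certificatePublicKey)
$sessionKey = [byte[]]::new(32)                                # AES-256 key
[RandomNumberGenerator]::Create().GetBytes($sessionKey)
$encryptedSessionKey = $clientRsa.Encrypt($sessionKey, [RSAEncryptionPadding]::OaepSHA1)
# $encryptedSessionKey is what crosses the network; a sniffer captures only this blob.

# --- Server: decrypt with the private key. Nobody else on the wire can do this step.
$serverSessionKey = $serverRsa.Decrypt($encryptedSessionKey, [RSAEncryptionPadding]::OaepSHA1)
if ([Convert]::ToBase64String($serverSessionKey) -ne [Convert]::ToBase64String($sessionKey)) {
    throw 'key transport failed: server and client session keys differ'
}

# --- Both sides now protect the HTTP data with the shared symmetric key.
function Protect-Record([byte[]]$Key, [string]$Plaintext) {
    $aes = [Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()   # CBC, PKCS7 padding
    $bytes = [Encoding]::UTF8.GetBytes($Plaintext)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    # The IV is sent in the clear ahead of the ciphertext; real TLS also adds a MAC/AEAD tag.
    return ,([byte[]]($aes.IV + $ct))
}
function Unprotect-Record([byte[]]$Key, [byte[]]$Record) {
    $aes = [Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$Record[0..15]
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Record, 16, $Record.Length - 16)
    return [Encoding]::UTF8.GetString($pt)
}

$request   = "GET /secret/report.asp HTTP/1.1`r`nHost: www.example.com`r`n`r`n"
$onTheWire = Protect-Record $sessionKey $request              # what the sniffer captures
$atServer  = Unprotect-Record $serverSessionKey $onTheWire    # what the server reads
'sniffer sees : ' + [BitConverter]::ToString($onTheWire).Substring(0, 47) + '...'
'server reads : ' + $atServer.Split("`r`n")[0]
```

Swap `$serverSessionKey` in the last Unprotect-Record call for any other 32 bytes and the decryption fails with a padding error, which is the position a sniffer holding only `$encryptedSessionKey` and `$onTheWire` is in. What the simulation leaves out is exactly the step the warning dialog later in this article is about: the client never checks who the public key belongs to, so a man in the middle could hand it his own key.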
Put simply, the HTTP protocol we normally use has no encryption at all: every message travels across the network in the clear, and an attacker who installs a sniffer can read the traffic between us and the server. The danger is greatest on internal company networks. A hub-based LAN has essentially no protection, because every host connected to a hub sees all of the network's traffic from its own machine. A switched LAN shrinks the exposure a great deal, since a switch only delivers frames to the port they are addressed to, but there are often weak spots: if the switch still has its default user name and password, an attacker can log in and configure a port of his own as a monitoring (mirror) port, after which all traffic on the network can be watched again.

So encrypting the entire transport channel is a sound security measure. Unfortunately there are not many articles online about configuring SSL, so I will briefly describe my own experience.
Procedure
I will use Windows 2000 Server for this walkthrough. First, in Control Panel, Add/Remove Programs, Add/Remove Windows Components, install Certificate Services; a default system installation does not include it, so the installation CD is needed.

Then choose the CA type: a stand-alone CA (for a first CA that is the stand-alone root CA, since there is nothing for it to chain to). On the next page give the CA a name, then finish the installation.
With the installation complete, open Internet Services Manager to request a certificate for the web site we want to protect:

Site properties, Directory Security, Secure communications, Server Certificate.

Since this is the first configuration, choose to create a new certificate.

The default site name and bit length (the key strength) can be kept.

The remaining wizard pages are just as simple; the one thing to note is where the generated request file is saved, because it is needed in the next step.
Next we submit the request to the certificate server we have just installed locally. On installation, Certificate Services creates several virtual directories in the local IIS, so open http://localhost/certsrv/default.asp.

Choose Request a certificate.

For the request type, choose Advanced request.

Choose to submit the request as a base64-encoded file.

Paste in the contents of the Certreq.txt file generated in the previous step, then submit.

On success, a page reports that the request has been received and is now waiting for the CA to issue the certificate (a stand-alone CA does not issue automatically; its default policy holds every request as pending).
Open Certification Authority under Administrative Tools, find the request we have just submitted under Pending Requests, right-click it and choose Issue.

Then look under Issued Certificates, double-click the certificate, open the Details tab and choose Copy to File.

Export the certificate to a file; here I export it to C:\SQL.cer.
Back in the IIS site properties, open Server Certificate again; this time the wizard offers to process the pending request.

Select the exported C:\SQL.cer.

Check that everything is correct, then click Next and finish; the certificate is now installed.

Installing the certificate does not by itself turn on the encrypted channel. On the Web Site tab confirm that the SSL port is 443 (the HTTPS default), and under Secure communications, Edit, tick Require secure channel (SSL) if plain HTTP access to the site or directory should be refused.

When the site is opened over HTTPS, the browser shows a dialog asking whether to accept the certificate, because it was issued by our own CA, which the browser does not yet trust; accept it. On a production network the better fix is to install the CA's root certificate into the Trusted Root Certification Authorities store on the client machines: a warning that users are trained to click through gives no protection against someone presenting a different certificate.
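The whole procedure above, from the request to the 443 binding, as an added PowerShell example that is not part of the original article and not a script from Microsoft's documentation: it drives the same CA with certreq.exe and certutil.exe, which are the command-line counterparts of the wizard and the /certsrv pages, binds the certificate in IIS with the WebAdministration module (IIS 7 and later; on Windows 2000's IIS 5 the binding stays a GUI step, as shown above), and finishes with the client-side check a practitioner would want. The CA name CAHOST\Corp Standalone CA, the host name www.example.com and the site name Default Web Site are assumed, hypothetical values.

```powershell
# Added example, not from the original article: command-line counterpart of the GUI steps.
# Assumed, hypothetical values: CA "CAHOST\Corp Standalone CA", host www.example.com,
# site "Default Web Site". certreq/certutil ship with Windows; the IIS binding needs the
# WebAdministration module (IIS 7+), so on Windows 2000's IIS 5 that step stays in the GUI.
$caConfig = 'CAHOST\Corp Standalone CA'   # "<CA host>\<CA name>" (see: certutil -dump)
$hostName = 'www.example.com'
$siteName = 'Default Web Site'
$work     = Join-Path $env:TEMP 'iis-ssl'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. Build the request (the wizard's "Create a new certificate", saved to a file).
#    The private key is created in the machine store and never leaves the server.
#    KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU = server authentication.
#    The SAN extension is added because current browsers ignore the CN on its own.
@"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII
certreq -new "$work\request.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit it to the stand-alone CA (what the /certsrv page does). The CA parks it as
#    pending and certreq prints the RequestId needed for the next steps.
$submitOutput = certreq -submit -config $caConfig "$work\request.req" "$work\server.cer"
$requestId = [regex]::Match(($submitOutput -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $requestId) { throw "no RequestId in certreq output:`n$submitOutput" }

# 3. Issue it (the MMC's right-click, All Tasks, Issue on the pending request).
certutil -config $caConfig -resubmit $requestId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit $requestId failed" }

# 4. Fetch the issued certificate and join it to the pending request's private key
#    (the wizard's "Process the pending request and install the certificate").
certreq -retrieve -config $caConfig $requestId "$work\server.cer"
certreq -accept "$work\server.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 5. HTTPS binding on port 443 (IIS 7+). Picks the newest cert for this host name.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key for CN=$hostName" }
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 6. Client-side check: the TLS handshake must succeed and the chain must verify.
#    SslStream applies the same trust rule as a browser, so an untrusted CA fails here
#    for the same reason it triggers the browser's certificate warning.
$tcp = [System.Net.Sockets.TcpClient]::new($hostName, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($hostName)
    'TLS OK: {0} with {1}; server presented {2}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.RemoteCertificate.Subject
} catch [System.Security.Authentication.AuthenticationException] {
    'Handshake rejected: {0}. Import the CA certificate into Trusted Root Certification Authorities on the clients.' -f $_.Exception.Message
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```

Run it in an elevated PowerShell on the web server (or on any machine from which the CA is reachable). A stand-alone CA's default policy leaves every request pending, which is why step 3 exists; on an enterprise CA with an auto-issuing template, certreq -submit returns the certificate immediately and steps 3 and 4 collapse into certreq -accept. The SAN extension is not something the IIS 5 wizard produced, but without it modern browsers reject the certificate even when the CN matches.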
Now look at the site again. Before, everything was transmitted in the clear and anyone could read it; compare the two Iris sniffer captures taken before and after enabling encryption:
Before encryption:
After encryption:
A final brief remark: browsing an SSL-encrypted site is slower than browsing an unencrypted one, mainly because the encrypted channel (above all the public-key operations of the handshake) takes CPU time. Web sites with nothing confidential on them do not need an SSL channel; enable it for the important directories and sites where it is actually needed.
9CBS ID Yishao (Dragon) (www.94888.net)